Webinar Recap | ISO 27001 Certification Journeys
In this event recap, catch up on what the Privasec team has been up to in the recent “ISO 27001 Certification Journeys” webinar, held jointly with the Association of Information Security Professionals (AiSP).
To start off, let’s define the terms discussed in the webinar.
What is an ISMS?
An Information Security Management System (ISMS) is the set of policies, processes and controls that defines an organisation’s approach to managing information security risk.
What is ISO 27001?
ISO/IEC 27001 is the international standard that specifies the requirements for establishing, implementing, maintaining and continually improving an ISMS. It gives organisations a risk-based framework for prioritising and coordinating their security investments, together with marketable recognition for doing so.
ISO 27001 certification provides assurance to clients and stakeholders that the organisation manages its systems with a risk-based approach. It also gives clients confidence that the product comes from a company that is secure and alert to risk.
In this webinar, our panel of industry professionals shared and discussed their perspectives on ISMS and ISO 27001 certification.
The session started off with Leonard Ong, the Regional Information Security Officer of GE Healthcare, sharing the GE Healthcare ISO 27001 Certification Journey and unique ISMS challenges the company faced in the Healthcare/MedTech industry.
Next, our own Regional Head, Lim Quan Heng, shared Privasec’s implementation approach for ISO 27001 certification, based on the Plan-Do-Check-Act (PDCA) cycle, and addressed six common misconceptions surrounding ISO 27001 certification.
Afterwards, Wong Onn Chee, representing Rajah & Tann Cybersecurity and AiSP, shared on the use of ISO 27001 as an over-arching security governance standard: because it is certifiable, a certified ISMS is subject to regular surveillance audits by Certification Bodies. He expanded the discussion with more detailed technical standards such as CIS Controls v8.
Finally, Shirish Bapat from Lloyd’s Register Quality Assurance Limited shared the assessment process for ISO 27001 certification from the perspective of a Certification Body.
The event concluded with a meaningful, thought-provoking Q&A session moderated by Joey Cheng, Regional Account Manager at Privasec. Check out the Q&A below.
We hope you all enjoyed the event as much as we did! It was a very insightful session, hearing from speakers across various industries. Thank you to all our esteemed speakers and wonderful participants, and we hope to see everyone again!
Questions & Answers (Q&A)
Does ISO 27001 cover the Personal Data Protection Act 2010?
As the AiSP lead for the Data and Privacy Special Interest Group (SIG), Wong Onn Chee addressed the question by first distinguishing between the different editions of the Personal Data Protection Act (PDPA).
The Personal Data Protection Act (PDPA) 2010 is Malaysia’s Act, while Singapore’s is the Personal Data Protection Act (PDPA) 2012. Both Acts are pretty similar, apart from the recent revision of Singapore’s Act in February 2021.
Firstly, ISO 27001 would form a pretty good demonstration of your organisation complying with the protection principles enshrined in the PDPA. However, some PDPA principles, such as consent, are not covered by ISO 27001, which has no specific controls relating to consent. Also, Singapore’s recent revision of the PDPA includes updates on Accountability, the Right to Access personal data, the Right to Update personal data, etc.
Secondly, the PDPA sets out simple data protection requirements in a few clauses. However, depending on the industry and sector your organisation operates in, such as Healthcare or Financial Services, there will be more detailed requirements for data protection.
At a high level, ISO 27001 does demonstrate your organisation’s ability to meet the minimum threshold expected for protecting personal data.
Shirish Bapat also shared his perspective on how organisations can determine which acts they need to consider.
He mentioned that this depends on the organisation’s industry, country of operations, and the local context and regulations. The standards are just a framework and do not define which legislation the organisation should follow.
The organisation needs to identify the applicability of the legal requirements. For example, the payment industry would need to comply with payment legislation such as the Payment Card Industry Data Security Standard (PCI DSS). All in all, the organisation has to identify its context and the risk processes involved.
There is a great deal of legislation out there: some of it is mandatory, some is stipulated by local regulators and government, and some can be used as guidelines that organisations can learn from and take reference from to improve their systems.
Wong Onn Chee also raised the recent increase in data breach news in Singapore. He highlighted the concern around the selection of third-party vendors, since many of the data breaches were due to outsourced vendors.
In his experience of handling data breaches in Singapore, he stated, none of the vendors involved in the data breaches were ISO 27001 certified. While direct causation cannot be concluded, he noted that a correlation could be drawn from this.
He then raised the question of how we select our vendors: are we selecting vendors based on cost and quality at the expense of security?
Lim Quan Heng added to the discussion of third-party risk: many recent data breaches have involved external organisations that businesses rely on as part of their supply chain. A lack of third-party risk management is also commonly identified in general assessments of organisations.
From a legal point of view, the first layer of addressing this would be the right to audit your vendor. However, most organisations do not have terms in their contracts that allow this, which removes their ability to perform due diligence on third parties. Many organisations also lack a proper framework for managing third-party due diligence.
The recent revision of the Monetary Authority of Singapore (MAS) Technology Risk Management (TRM) Guidelines also places more emphasis on third-party risk. Third-party risk management should be part of any organisation’s arsenal, especially where technology is a core element of the organisation.